SmoothCriminal Update: Additional Sandbox Detection Methods

About three months ago, I wrote about a tool that helps you detect sandboxes using cursor movements. I have been extremely busy, but the author of this tool, @G4l_B1t, was kind enough to bring to my notice that there is a SmoothCriminal update. This update brings in additional sandbox detection methods!

What is SmoothCriminal?

SmoothCriminal is an open source Python script that helps you detect a sandbox by cursor movement speed, and by clicking speed and location. It is a simple technique to bypass many sandboxes by monitoring mouse movements. While many tools and malware only check whether the mouse moved at all, this tool checks whether the movement was smooth by applying basic calculus.

More about SmoothCriminal update:

As you already know, this tool employed two modes, mean and max, that evaluate cursor movement. This update adds two more modes, timing and location, that allow you to detect a sandbox by monitoring clicking speed and click location, which are often hard coded in sandboxes. More about them below:

Location Mode: Execute with the flag -location. The script will accumulate 10 clicking events. Cuckoo sandbox always simulates clicks at the same location. If all locations are the same and match the known Cuckoo location, it will declare that it is executing in a sandbox.

Timing Mode: Execute with the flag -timing. The script will accumulate 10 clicking events. Cuckoo sandbox always simulates clicks that last 50 milliseconds. If all the clicks are roughly 50 milliseconds long, it will declare that it is executing in a sandbox.
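As an added illustration (not the SmoothCriminal code itself), here is the essence of the location and timing checks written out in Python, in the form of a self-test a sandbox maintainer can run over their own generated click stream to confirm it does not show the fixed-pixel, fixed-50 ms pattern the script keys on. The Click type, the 5 ms tolerance and the sample coordinates are assumptions; the specific Cuckoo coordinate the post mentions is not given here, so the location check only asks whether all clicks are identical.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Click:
    """One simulated or real click: screen position plus press/release timestamps (ms)."""
    x: int
    y: int
    down_ms: float
    up_ms: float

    @property
    def duration_ms(self) -> float:
        return self.up_ms - self.down_ms


def all_same_location(clicks) -> bool:
    """Location mode: every click lands on exactly the same pixel."""
    return len({(c.x, c.y) for c in clicks}) == 1


def all_uniform_duration(clicks, expected_ms: float = 50.0, tol_ms: float = 5.0) -> bool:
    """Timing mode: every press-to-release interval is roughly expected_ms (tolerance assumed)."""
    return all(abs(c.duration_ms - expected_ms) <= tol_ms for c in clicks)


def assess(clicks, min_events: int = 10) -> dict:
    """Report which of the two tells the first min_events clicks exhibit."""
    if len(clicks) < min_events:
        raise ValueError(f"need {min_events} clicks, got {len(clicks)}")
    sample = clicks[:min_events]
    return {
        "fixed_location": all_same_location(sample),
        "fixed_duration": all_uniform_duration(sample),
        "mean_duration_ms": round(mean(c.duration_ms for c in sample), 1),
    }


# Constructed sample: a naive click generator that always hits the same pixel
# and holds the button for exactly 50 ms, one click per second.
SCRIPTED = [Click(100, 100, t, t + 50.0) for t in range(0, 10_000, 1_000)]

# Constructed sample: position and hold time vary a little from click to click.
JITTERED = [
    Click(100 + (i * 7) % 13 - 6, 100 + (i * 11) % 9 - 4, t, t + 70.0 + (i * 17) % 40)
    for i, t in enumerate(range(0, 10_000, 1_000))
]

if __name__ == "__main__":
    print("scripted:", assess(SCRIPTED))
    print("jittered:", assess(JITTERED))
```

Only a stream that trips both checks reproduces what the script treats as a sandbox; the jittered stream trips neither.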
